postfix-3.5.6

postfix/HISTORY

@@ -24809,3 +24809,13 @@ Apologies for any names omitted.
 	settings in a system-wide OpenSSL configuration file, causing
 	interoperability problems after an OS update. File:
 	tls/tls_client.c, tls/tls_server.c.
+
+20200726
+
+	Bugfix (introduced: Postfix 3.5.5): part of a memory leak
+	fix was backported to the wrong place. File: tls/tls_misc.c.
+
+	The Postfix 3.5.5 workaround did not explicitly override
+	the system-wide OpenSSL configuration of allowed TLS protocol
+	versions, for sessions where the remote SMTP client sends
+	SNI. It's better to be safe than sorry. File: tls/tls_server.c.

postfix/src/global/mail_version.h

@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20200724"
-#define MAIL_VERSION_NUMBER	"3.5.5"
+#define MAIL_RELEASE_DATE	"20200726"
+#define MAIL_VERSION_NUMBER	"3.5.6"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE

postfix/src/tls/tls_misc.c

@@ -922,8 +922,6 @@ void    tls_get_signature_params(TLS_SESS_STATE *TLScontext)
 	 */
 	if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
 	    locl_sig_dgst = OBJ_nid2sn(nid);
-
-	X509_free(cert);
     }
     /* Signature algorithms for the peer end of the connection */
     if ((cert = SSL_get_peer_certificate(ssl)) != 0) {
@@ -965,6 +963,8 @@ void    tls_get_signature_params(TLS_SESS_STATE *TLScontext)
 	 */
 	if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
 	    peer_sig_dgst = OBJ_nid2sn(nid);
+
+	X509_free(cert);
     }
     if (kex_name) {
 	TLScontext->kex_name = mystrdup(kex_name);

postfix/src/tls/tls_server.c

@@ -530,6 +530,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
     /* Enable all supported protocols */
 #if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
     SSL_CTX_set_min_proto_version(server_ctx, 0);
+    SSL_CTX_set_min_proto_version(sni_ctx, 0);
 #endif
 
     /*